ASA Routing Problem

abernathy
Level 1

I have three networks at work, 172.31.101.0, 172.31.102.0, and 172.31.103.0

172.31.101.0 is where all of my servers reside.

I have IP cameras at all three sites.  When I use Cisco AnyConnect to start a VPN session I am only able to see the cameras on the 172.31.101.0 network.

I am pretty new to this but it seems like I am missing some routes somewhere.

Thanks for your help.

Mike

5 Replies

Marvin Rhoads
Hall of Fame

Do your two remote sites connect to the main site via site-site VPN in the same firewall as your remote access VPN? If so, what you're trying to do is known as "hairpinning" and the VPNs need to be set up to allow it.

Basically you need to make sure the networks are allowed in the routes pushed to the client, allow traffic to go back out the same interface it enters on, add the remote access client subnet to the remote net in the access-list for the site-site VPN and make sure it's exempted from NAT. 

There are many articles around detailing how to set this up. One I think is particularly well done is over at packetu.com (link).

Hope this helps.

Yes,

All three sites are connected via an MPLS.

I will review the link and post back.  Right now I am having issues with ASDM. I think it's a Java problem though...joy

If the sites are connected via MPLS (and not a site-site VPN that also terminates on the ASA) then more simple routing is most likely your issue.

You can check the routes you're getting while on VPN by opening the AnyConnect GUI and clicking the settings (gear) icon and then looking at VPN, Route Details. You'll need to be getting either a default route (i.e. no split tunnel) or a specified route (or routes) that includes the target subnets.

If that looks good then it's probably routing across the MPLS cloud failing to advertise your address pool for the VPN clients.

Thank you,

Can you give more detail on where I would look within the ASDM GUI?

Thanks

Mike

I had mentioned the AnyConnect GUI, i.e., see screenshot below.

Those routes are configured in ASDM via "Configuration > Remote Access VPN > AnyConnect Connection Profiles". Check which group policy your connection profile uses. Then go under that Group Policy and select Edit. Expand the Advanced menu and examine the Split Tunneling settings. The policy should be "Tunnel Network List Below" and the Network List calls out an access-list that specifies your networks that the VPN can access.
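The same settings expressed as ASA CLI, pulled together as an added example (not from this thread or from Cisco's documentation). It assumes a constructed client pool 10.10.10.0/24, interface names inside/outside, the object and policy names SPLIT_TUNNEL, GP_ANYCONNECT, VPN_CLIENTS, SITE_NETS and L2L_SITE102, and ASA 8.3 or later NAT syntax.

```cisco
! --- Split tunnel: push all three site networks to AnyConnect clients ---
! (this is the access-list that "Tunnel Network List Below" refers to in ASDM)
access-list SPLIT_TUNNEL standard permit 172.31.101.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 172.31.102.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 172.31.103.0 255.255.255.0
!
! Address pool handed to VPN clients (constructed for this example)
ip local pool VPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
group-policy GP_ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 address-pools value VPN_POOL
!
! --- NAT exemption (ASA 8.3+): never translate VPN-client <-> site traffic ---
object network VPN_CLIENTS
 subnet 10.10.10.0 255.255.255.0
object-group network SITE_NETS
 network-object 172.31.101.0 255.255.255.0
 network-object 172.31.102.0 255.255.255.0
 network-object 172.31.103.0 255.255.255.0
nat (inside,outside) source static SITE_NETS SITE_NETS destination static VPN_CLIENTS VPN_CLIENTS no-proxy-arp route-lookup
!
! --- Hairpin case only: sites .102/.103 reach the ASA over a site-site VPN on
!     the same outside interface. Allow traffic to leave the interface it came in
!     on, and add the client pool to that tunnel's interesting-traffic ACL ---
same-security-traffic permit intra-interface
access-list L2L_SITE102 extended permit ip 10.10.10.0 255.255.255.0 172.31.102.0 255.255.255.0
!
! --- MPLS case: nothing more on the ASA, but the MPLS/core routers must carry a
!     route for 10.10.10.0/24 back to the ASA's inside interface ---
!
! Verification after a client connects:
show vpn-sessiondb anyconnect     ! assigned client address and group policy
show nat detail                   ! the exempt rule above should show hits
```

If the split-tunnel list, NAT exemption and client session all look right, the remaining suspect is the route for the client pool on the MPLS side, exactly as the reply above describes.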
